The hidden censors of the internet

Journey with us to a state where an unaccountable panel of
censors vets 95 per cent of citizens' domestic internet
connections. The content coming into each home is checked against a
mysterious blacklist by a group overseen by nobody, which keeps
secret the list of censored URLs not just from citizens, but from
internet service providers themselves. And until recently, few in
that country even knew the body existed. Are we in China? Iran?
Saudi Arabia? No - the United Kingdom, in 2009. This month, we ask:
Who watches the Internet Watch Foundation?

It was on December 5, 2008 that the foundation decided that the
Wikipedia entry for The Scorpions' 1976 album Virgin
Killer was illegal under British law. The album-sleeve
artwork, showing a photo of a naked ten-year-old girl with a
smashed-glass effect masking her genitalia, had been reported to
the IWF via its public-reporting system the day before. It was
deemed to fall under the classification of "Child Abuse Imagery"
(CAI). And because the IWF blacklists such material, and works with
ISPs to stop people accessing it, an estimated 95 per cent of
residential web users were not only unable to access the band's
Wikipedia entry, but also unable to edit the site at all.

When Wired began investigating the foundation last December, our
interest clearly lay not in advocating the use or distribution of
child pornography. We simply wanted to know only what the Wikimedia
Foundation, the owners of the Wikipedia, itself sought to
know.

"The major focus of our response was to publicise the fact of the
block, with an emphasis on its arbitrariness and on the IWF's lack
of accountability," says Wikimedia's general counsel Mike Godwin
(incidentally famed for Godwin's Law, which he coined in 1990 and
which states that "as a Usenet discussion grows longer, the
probability of a comparison involving Nazis or Hitler approaches
1".)

"When we first protested the block, their response was, 'We've now
conducted an appeals process on your behalf and you've lost the
appeal.' When I asked who exactly represented the Wikimedia
Foundation's side in that appeals process, they were silent. It was
only after the fact of their blacklist and its effect on UK
citizens were publicised that the IWF appears to have felt
compelled to relent.

"If we had not been able to publicise what the IWF had done, I
don't doubt that the block would be in place today."

As it happened, the IWF reversed its decision a few days later,
issuing a statement to the effect that, while it still considered
the image to be technically illegal, it had evaluated the specific
"contextual issues" of this landmark case and taken into account
the fact that it was not hosted on a UK server. The incident marked
a major step: the IWF had for once been held up to wider scrutiny.
Concern about the IWF has been voiced by critics such as John
Ozimek - political journalist and author of New Labour, New
Puritanism - and translated into a more explicit concern: that its
lack of accountability could be used as a method of sneaking state
censorship through the back door. The relationship between the IWF
and Home Office is particularly worthy of scrutiny, as Ozimek
explains: "Neither has shown much interest in civil liberties. Few
people who know about the net know much about the IWF, and those
that do know it mostly only as a heroic body fighting child porn.
It has thus been preserved from having to answer awkward questions
about its legal qualifications for carrying out its role, its lack
of public accountability and its failure to apply due
process."

"I think that so long as censorship decisions are being made by an
unaccountable private entity," says Godwin, "the freedom of United
Kingdom citizens is at risk."So how did we get here? In August 1996
- appalled by the distribution of child-abuse imagery on several
newsgroups - Metropolitan Police chief inspector Stephen French
sent an open letter to every ISP in the UK. "We are looking to
you," French wrote, "to monitor your newsgroups, identifying and
taking necessary action against those found to contain such
material." It finished with a statement that was a game-changer:
"We trust that with your co-operation and self-regulation it will
not be necessary for us to move to an enforcement policy." In other
words: you deal with this, or we'll deal with you.

"There had been a failure to get industry consensus to act on the
issue up to that point," remembers Keith Mitchell, who - as the
head of Linx, the London Internet Exchange - was brought in to
discuss the issue by the Department of Trade and Industry,
alongside several major ISPs and representatives from the Internet
Services Providers' Association (Ispa). Together they drew up a
memorandum of understanding, a model for what would soon be
relabelled the Internet Watch Foundation.

The document was called the R3 Agreement. The three Rs were:
"rating", the development of labelling to address the issue of
"harmful and offensive" content; "reporting", a
notice-and-take-down procedure to all ISPs hosting CAI in the UK;
and "responsibility", the promotion of education about such issues.
The categories still remain cornerstones of the expanded remit of
today's IWF, which was (and is) self regulating. Trusting in this,
the government left the ISPs to deal with the matter.

"The IWF was originally very much seen as a positive measure to
avoid a problem for the UK internet industry, rather than a
coercive measure," explains Mitchell. "At first, the Home Office
just seemed to be glad this problem was being taken care of for
them. In terms of its original mission, I think that the IWF has
done an excellent job of keeping CAI off UK-based servers."

In 1998, the government carried out an independent review on how
the IWF was working. The Home Office called in consultants Denton
Hall and KMPG, notes were duly taken, and a "revamped" IWF was
launched in 2000.

"The IWF had reached a point at which it needed to be seen to be
more independent of the industry," explains Roger Darlington,
former head of research at the Communication Workers Union, who was
brought in as an IWF independent chair. "They weren't terribly
clear how it was going to work," he remembers. "I said, 'Look, we
should publish all our board papers and all our board minutes.'
That caused a number of people to swallow hard. But we did it."

Wired UK

Keith Mitchell regards this as the point at which things began
to change for the worse. "Since Tony Blair got in," he says, "there
has been visible mission creep. Various additions to the IWF's
remit have occurred, increasingly without consideration of their
technical effectiveness or practicality. Most notable has been the
introduction of a blacklist."

Introduced in 2004, the blacklist is the IWF's method of ensuring
that members block user access to CAI hosted outside the UK. This
confidential list of URLs is sent in encrypted format to the ISPs,
which are subject to similarly secret terms of agreement regarding
their employees' access to the list. Lilian Edwards, professor of
internet law at Sheffield University and author of Law And The
Internet, feels that such guarded conduct suggests that more may be
going on behind closed doors.

"The government now potentially possesses the power to exclude any
kind of online content from the UK, without the notice of either
the public or the courts," she says. "Perhaps even more worryingly,
any ISP that takes the IWF blacklist can also add whatever URLs
they please to it, again without public scrutiny." Or even anyone
necessarily noticing. It's like knowing that Google Safe Search is
on, but not being able to change your settings.

Of course, blacklists are not infallible. The website Wikileaks
recently obtained a copy of the list kept by the foundation's
Danish equivalent - also unsupervised by government. It shows a
number of erroneous blocks, such as the URL of a Dutch haulier, as
well as legitimate adult domains.

For an organisation so often accused of being secretive, the IWF
headquarters, in a converted townhouse on a leafy and innocuous
Cambridgeshire housing estate, does not do much to dispel the
image. At first glance the place resembles a large suburban home.
Inside, a spacious, bright reception leads to an equally airy
office area and conference rooms. The sense of openness extends
only so far, however. The IWF let us know beforehand that it
refused to allow any photography on site.

As a charity, the IWF must publish accounts - most recently for the
year ending March 2008. The largest single donor was the European
Union. It gave the organisation £320,837 in 2007 and £146,929 in
2008. The largest revenue stream, however, was "subscription fee
income". This was £623,542 in 2006, £700,533 a year later and
£754,742 in 2008.

Who pays the "subscription fee"? The major ISPs and a clutch of
big-name brands such as Royal Mail and Google. The IWF's website
solicits such payments, explaining that "being a member of the IWF
offers many benefits including practical evidence of Corporate
Social Responsibility - enhanced company reputation for consumers
and improved brand perception and recognition in the online and
digital industries". All yours for £20,000 per annum - if you're a
"main ISP". Smaller fish are advised to pay between £5,000 and
£20,000, and "very small" firms are steered towards "£500 to
£5,000". Sponsors, which "support us with goods and services to
help us pursue our objectives", include Microsoft. Additional money
comes from what the IWF calls "CAI income". This is revenue from
licensing the list of prohibited URLs to private net-security
outfits. It totalled £5,183 in 2007, but had jumped to £40,734 a
year later. In 2006, the IWF also received £14,502 from the Home
Office.

The Charity Commission accounts state that the IWF has 13 employees
and no volunteers - unusual for a charity. Its staff costs were
£520,847 in 2008, with one person earning more than £50,000.

But back to that £14,502 from government. We asked the IWF what the
Home Office money was for, but Peter Robbins, the chief executive,
would only say it was for "a project". "You don't need to
know."

Sarah Robertson, IWF's head of communications, has dealt before
with concerns about the IWF's links to the Home Office. She's quick
to dismiss the notion that the blacklist is any way influenced by
the government. "Supposedly, the IWF compiles the list, passes it
on to the Home Office twice a day, the Home Office adds whatever
they want to it, the IWF doesn't look at it, then it goes out...
Hmm." She smiles. "They don't. I don't see why they would. It's a
voluntary initiative. The government has expressed an expectation,
but they haven't legislated. The industry was already doing it.
Because they wanted to protect their customers."

Robertson lays out the process behind the blacklist. Updated twice
a day, the URLs on the list are those reported to the IWF by
concerned members of the public via the organisation's hotline and
website. Relevant IWF staff - police-trained internet content
analysts - then draw on their legal training to determine whether
the content is "potentially illegal". "We use the term 'potentially
illegal'," Robertson explains, "because we are not a court. It's
assessed according to UK law. I read certain articles that talk
about the IWF's 'arbitrary scale'. It's the law." The law she
refers to is the Protection of Children Act 1978 (as amended by,
among others, the Sexual Offences Act 2003), which makes it "an
offence to take, make, permit to be taken, distribute, show,
possess with intent to distribute, and advertise indecent
photographs or pseudo-photographs of children under the age of
18".

Robertson insists that the Home Officen has never expressed a
desire to get involved in the foundation's day-to-day proceedings,
before elaborating on its independent nature. "We are inspected,
not by the Home Office, but they expect us to subject ourselves to
inspections. They ask us to subject ourselves to external scrutiny,
despite the reams and reams of articles I've been reading about how
we're 'shadowy' and 'unelected'.

"Obviously we're not elected," she continues. "But we try to be as
transparent as we possibly, possibly can. We're also audited
externally by independent experts in law enforcement, forensics,
technological security and HR issues."

This is true: the last independent audit of the IWF was in May
2008, and the organisation allegedly passed with flying colours. We
have to say "allegedly", however, because the audit itself hasn't
been published - and despite requests from Wired, the IWF intends
to keep it confidential. The blacklist also remains undisclosed.
"Obviously the list is never going to be given out," says
Robertson. "No one gets it [unencrypted]. We don't allow a list of
abusive images to be released to the public. What we can say is
that details of every URL on it are shared with the police." She is
unwilling to elaborate on other details: "I'm sure you'll
understand that we can't give full details of how the list is
provided. Sadly there are a lot of people out there who would take
delight in getting it."

Robertson maintains that she can understand the concerns from
certain quarters. "We do engage the civil-liberties groups; they
help me understand their point of view, and I find it all very
interesting."

Although the IWF has publicly said it "learnt lessons" from the
Wikipedia-Virgin Killer fracas, its blacklist strategy is
not changing. "As for the design of the list, there were meetings
when we started with engineers from all the companies and everyone
involved, very technical people - all of whom decided that [the
status quo was] the simplest and easiest-to-implement way… People
say, 'Why don't you just block the image?' You can't. When you've
got a thousand different URLs on your list, you can't have
different rules for each."

Wired UK

It is not a prerequisite for IWF members to implement the
blacklist - it is simply there, should they want it. The IWF
maintains that it strives to ensure cost is not a barrier to
implementation by smaller ISPs. The IWF is also not the one
carrying out the blocking - that is left to the actual ISPs. "We
just provide a list of URLs," Robertson insists. Of course, the
list is blind, and an ISP blocks all of it or none of it.

The Home Office declined an invitation to take part in an
interview, and rejected our Freedom of Information requests. We
asked for details of the relationship between the Home Office and
the IWF, and in particular about the latter's discussions with Home
Offce minister Vernon Coaker. Our request was refused under the
clause in the FOI Act that allows ministers to withhold information
if they consider the disclosure might inhibit "the free and frank
provision of advice and the free and frank exchange of views for
the purpose of deliberation". It added: "We have decided that it is
not in the public interest at this time to disclose this
information." (You can read our entire correspondence with the Home
Office at tinyurl.com/d67uzn.) It
did issue this statement: "Over 95 per cent of consumer broadband
connections are covered by blocking of child sexual-abuse websites.
The UK has taken a collective approach to addressing this issue and
has had considerable success in ensuring that the sites on the IWF
list are blocked. We will continue to consider what further action
or measures might be needed."

What about the world outside CAI? Although the IWF is not solely
responsible for blocking pornographic images of children, the other
areas it deals with - incitement to racial hatred, criminally
obscene content - are not subject to the blacklist. Robertson told
us that there was no racial-hatred material hosted in the UK last
year, and the number of cases of criminally obscene content per
annum can be "counted on one hand".

Earlier this year legislation was passed that outlawed "extreme
pornography", thereby adding the category to the IWF's watchlist of
illegal material. And catching the eye of Parliament of late have
been "anorexia promoting" websites. Mark Hunter MP in particular
has been anxious to raise the issue.

Lilian Edwards, meanwhile, proposes a new direction for the IWF,
which indicates an active preference for governmental
administration and which would be more accountable under UK law and
less susceptible to whispered doomsday scenarios. "It is high time
that the IWF was reconstituted as a public body," she says. "Having
the cooperation of the ISP industry does not give them the
authority or the safeguards of a public or judicial body. Books get
censored by independent and public courts. Why don't
websites?"

John Ozimek has further concerns. "There is an interesting line of
thought running around the security world that suggests that this
is counterproductive. The majority of [CAI] material is not 'out
there' on the web any more. It's available via P2P. The more
pressure there is on net-based porn, the more networks move to
circumvent government measures." So blocking may not be the best
solution.

In January 2009 - shortly after the dust had settled on the
Wikipedia case - the IWF found itself under scrutiny once more when
a blacklisted image on the Internet Archive's Wayback Machine
resulted in some UK internet users being unable to access the
entire site. Later resolved and explained as a "technical error",
the incident threw more meat to those who had already decided that
the IWF was becoming increasingly maverick. "As an industry," Keith
Mitchell elaborates, "we have done a lot, but the internet illegal
economy, including spammers, botnets and those who host child porn,
will not go away… It would be good to see some enforcement action
rather than misguided censorship attempts, which damage freedoms
for the majority of law-abiding internet users."

Among all parties, there is one agreement: the fight against CAI is
an invaluable one. The killer questions revolve around the power
behind that fight - can a non-governmental body be trusted with
unprecedented censorship muscle? - and whether, by concentrating on
URLs rather than file-sharing, that body is even fighting any
longer in the right arena.

Edited by Michael Parsons

Comments

I did a lot of the press for WMF in the UK during the Dec 2008 Wikipedia block. One fact that didn't come out until Monday night (by which time the news cycle was over) - the IWF blocked the encyclopedia article text on Virgin Killer and the page describing the image, both on en.wikipedia.org ... but they *did not* block the actual image, which was on the image server (upload.wikimedia.org).

Thus - they censored text and failed to censor the image they'd claimed was all they were blocking.

Hamfisted *and* incompetent.

David Gerard

May 20th 2009

It's a good thing we have various tools to help us stay anonymous online.